Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

hack3r-0m - onlyEOA modifier will not work as expected after EIP 7702 #48

Open
sherlock-admin2 opened this issue Oct 21, 2024 · 0 comments
Open

hack3r-0m - onlyEOA modifier will not work as expected after EIP 7702 #48

sherlock-admin2 opened this issue Oct 21, 2024 · 0 comments

Comments

@sherlock-admin2
Copy link

sherlock-admin2 commented Oct 21, 2024
edited
Loading

hack3r-0m

Medium

onlyEOA modifier will not work as expected after EIP 7702

Summary

onlyEOA in MorphoLeverageStrategyExtension relies on tx.origin on certain function like rebalance and ripcord to various attack vectors like sandwiching, re-entrancy, etc.

from EIP 7702:

Once code exists in the EOA, it's possible for self-sponsored EIP-7702 transactions to have msg.sender == tx.origin anytime the code in the EOA dispatches a call. Without EIP-7702, this situation can only ever arise in the topmost execution layer of a transaction. Therefore, this EIP breaks that invariant and so it affects smart contracts containing require(msg.sender == tx.origin) checks. This check is used for at least three purposes:

  1. Ensuring that msg.sender is an EOA (given that tx.origin always has to be an EOA). This invariant does not depend on the execution layer depth and, therefore, is not affected.
  1. Protecting against atomic sandwich attacks like flash loans, which rely on the ability to modify state before and after the execution of the target contract as part of the same atomic transaction. This protection would be broken by this EIP. However, relying on tx.origin in this way is considered bad practice, and can already be circumvented by miners conditionally including transactions in a block.
  1. Preventing reentrancy.

Root Cause

As mentioned in summary, tx.origin check is insufficient

Internal pre-conditions

N/A

External pre-conditions

  • EIP7702 being approved (which is very likely as per ACD in next hardfork)

Attack Path

Sandwich the rebalance and ripcord transaction by selling loanToken/collateralToken, followed by rebalance then buying back loanToken/collateralToken cheaper

It also opens up various possibility of re-entrancy leading to grieving by flash loaning all funds from morpho and calling rebalance inside callback which needs to be explored further for impact.

Impact

Loss for all the LPs due to getting bad exchanges rates or in worst case leading to some undefined behavior due to re-entrancy.

PoC

same as "Attack Path" section

Mitigation

solution for checking EOA or not would be non-trivial post EIP 7702
@sherlock-admin2 sherlock-admin2 changed the title Silly Slate Goblin - onlyEOA modifier will not work as expected after EIP 7702 hack3r-0m - onlyEOA modifier will not work as expected after EIP 7702 Oct 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin2